Hi Bruce,

Bruce:
All Organization Validated SSL certificates are issued using a three part process. The applicant's business name is validated against a third party database (e.g. D&B or government registry). Domain names are validated via a WHOIS lookup to ensure that the domain is registered to the business or that the applicant has the right to use the domain (i.e. parent or subsidiary company of registrant). Finally, an employee of the applicant is contacted through a phone number found in a third party source to confirm authorization to issue the certificate. See the Entrust enrollment guide for more details on the verification process http://www.entrust.net/ssl-resources/pdf/ssl-wap-enrollment-guide.pdf. This process is audited as part of our WebTrust for CA audit. FYI, Entrust does not issue Domain-only Validated SSL certificates.
Thank you for providing us with this information. If I understand correctly (also according to the enrollment guide), if the WHOIS records don't match those of the subscriber, the process is stopped and the request rejected? Therefore the example I made previously wouldn't be acceptable?
Also, do you require subscribers to actually provide some documents, like a photo ID and company registration confirmation or similar? And how do you make sure that the subscriber is authorized to request a certificate? Also, it seems that you rely only on confirming the (organization) details against those of the relevant authority (like the company registry)? Are there any other cross-verifications you perform in order to establish sufficient authorization and privileges on the part of the subscriber?
The reason I'm asking is that it appears to me that you don't perform some kind of administrative privilege check to verify domain ownership (and control); instead you rely on information provided by the subscriber and a phone call to the number you found in the phone directory for that business (and most likely by requesting to speak with the person who submitted the request).
In that respect, domain validation by automated means isn't such a bad thing to establish initial authorization and control over the domain.
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
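The organization-name and WHOIS-registrant parts of the OV process quoted above, and the "mismatch stops the process" rule discussed in the reply, as an added offline illustration (this is not Entrust's or StartCom's code; the WHOIS text, company names, suffix list and the parent/subsidiary "affiliates" parameter are constructed assumptions, and the phone callback step is deliberately left out):

```python
import re

# Constructed sample WHOIS response for illustration only; not real registry data.
SAMPLE_WHOIS = """Domain Name: EXAMPLE-CORP.COM
Registrant Organization: Example Corp., Inc.
Registrant Country: US
"""

# Assumed list of legal-form words that a registry and a WHOIS record may spell differently.
LEGAL_SUFFIXES = {"inc", "corp", "corporation", "ltd", "limited", "llc", "co", "company", "plc", "gmbh"}

def normalize_org(name):
    """Lower-case, drop punctuation and trailing legal-form words so that
    'Example Corp., Inc.' and 'EXAMPLE CORP' compare equal. This is a
    deliberately lenient heuristic for the automated part of the check;
    the human steps of the process still apply afterwards."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while words and words[-1] in LEGAL_SUFFIXES:
        words.pop()
    return " ".join(words)

def parse_whois(text):
    """Parse 'Key: value' lines of a WHOIS response into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields

def validate_ov_request(applicant_org, registry_org, whois_text, affiliates=()):
    """Apply the two automatable OV checks (assumed rules). Returns (decision, reason).
    1. The applicant's business name must match the third-party registry record.
    2. The WHOIS registrant must be the applicant or a declared parent/subsidiary.
    Any mismatch stops the process; the phone callback is outside this function."""
    if normalize_org(applicant_org) != normalize_org(registry_org):
        return ("reject", "business name does not match third-party registry record")
    registrant = parse_whois(whois_text).get("registrant organization", "")
    allowed = {normalize_org(applicant_org)} | {normalize_org(a) for a in affiliates}
    if normalize_org(registrant) not in allowed:
        return ("reject", f"WHOIS registrant {registrant!r} is not the applicant or a declared affiliate")
    return ("proceed", "organization and domain checks passed; phone callback still required")
```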
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto